b'         U.S. Department of Energy\n         Office of Inspector General\n         Office of Audits and Inspections\n\n\n\n\nAudit Report\nThe Department of Energy\'s\nImplementation of Homeland\nSecurity Presidential Directive 12\n\n\n\n\nDOE/IG-0860                       February 2012\n\x0c                                  Department of Energy\n                                     Washington, DC 20585\n                                         February 28, 2012\n\n\nMEMORANDUM FOR THE SECRETARY\n\n\nFROM:                     Gregory H. Friedman\n                          Inspector General\n\nSUBJECT:                  INFORMATION: Audit Report on "The Department of Energy\'s\n                          Implementation of Homeland Security Presidential Directive 12"\n\nINTRODUCTION AND OBJECTIVE\n\nHomeland Security Presidential Directive 12 (HSPD-12), Policies for a Common Identification\nStandard for Federal Employees and Contractors, was established in August 2004 to enhance\nnational security and mandate the use of a Federal government-wide standard for secure and\nreliable forms of identification for Federal employees and contractors. HSPD-12 required that\nthe identification be issued based on sound criteria for verifying an employee\'s identity; strongly\nresistant to identity fraud, tampering, counterfeiting and terrorist exploitation; able to be rapidly\nauthenticated electronically; and, issued only by providers with reliability established by an\nofficial accreditation process. Full implementation of HSPD-12 includes badge issuance, and\nphysical and "logical access control" systems. "Logical controls" rely on computer hardware and\nsoftware to prevent unauthorized access. 
While badge issuance is the initial step and involves\nproviding credentials to all employees and contractors that are covered by HSPD-12, logical and\nphysical access controls entail using the credential to gain access to information systems and\nFederal facilities, including those that are Government-owned and contractor-operated.\n\nThe Department of Energy initiated its HSPD-12 efforts in 2004 and has spent more than $15\nmillion, most of which was dedicated to issuance and maintenance of badges. However, recent\nOffice of Management and Budget guidance directed that Federal agencies should have physical\nand logical access controls fully installed and that policy be issued by each agency to ensure all\nnew systems under development be enabled to use HSPD-12 credentials. OMB also directed\nthat, effective the beginning of Fiscal Year 2012, physical and logical access controls be\nupgraded to use HSPD-12 credentials prior to using development and technology refresh funds\nto complete other activities, and noted that agencies\' processes must accept and electronically\nverify HSPD-12 credentials issued by other Federal agencies. In light of the updated OMB\nrequirements, we initiated this audit to determine whether the Department implemented physical\nand logical access controls in accordance with HSPD-12.\n\nRESULTS OF AUDIT\n\nWe found that, despite 7 years of effort and expenditures of more than $15 million, the\nDepartment had yet to meet all HSPD-12 requirements. In particular, the Department had not\nfully implemented physical and logical access controls in accordance with HSPD-12.\n\x0cFurthermore, the Department had not issued HSPD-12 credentials to many uncleared contractor\npersonnel at its field sites. Specifically:\n\n   \xe2\x80\xa2   None of the 5 field sites reviewed had fully implemented physical access controls in\n       accordance with HSPD-12 for the more than 40,000 employees requiring access to those\n       facilities. 
While the Oak Ridge National Laboratory and the East Tennessee Technology\n       Park had started implementing physical controls using HSPD-12 credentials, the\n       remaining sites had not begun work, and none had a fully developed system in place as\n       defined by HSPD-12 and Department guidance. As noted by the National Institute of\n       Standards and Technology, utilizing the full functionality of HSPD-12 credentials for\n       physical access is important because it is more secure and reliable than traditional\n       controls currently in use;\n\n   \xe2\x80\xa2   The Department had made progress for utilizing the HSPD-12 credential to authenticate\n       user access to information systems; however, additional work was needed. For example,\n       although Headquarters and the Oak Ridge Office were using badges on a limited basis to\n       allow network access, none of the sites reviewed had fully implemented logical access\n       controls for all information systems and applications as required by HSPD-12. In fact,\n       many sites had not even begun to implement logical controls even though the\n       requirement to begin this work had been in place for approximately 5 years. Federal\n       guidelines note that some of the benefits of using the HSPD-12 credential for logical\n       access include electronic authentication of the credential at the time of use, which cannot\n       be achieved with usernames and passwords; and,\n\n   \xe2\x80\xa2   Contrary to the goals and requirements of the directive, four of the five field sites we\n       reviewed did not provide HSPD-12 credentials to contractors that did not hold a security\n       clearance. The fifth site, Oak Ridge Office, issued badges to these employees only when\n       they met certain unique requirements, such as the need for travel to other Department\n       sites. 
We noted that over 11,000 of 40,000 (27 percent) individuals without security\n       clearances that required routine access to sites for a period in excess of 6 months had not\n       been issued HSPD-12 credentials. While the Department\'s current badging processes\n       provided certain security assurances, the processes did not include all background checks\n       required by HSPD-12. Federal regulations emphasized that issuance of the credential be\n       based on sound criteria for identity verification and highly resistant to identity fraud,\n       counterfeiting and tampering.\n\nWe noted what we considered to be a lack of a coordinated approach among programs and sites\nrelated to implementation of HSPD-12 requirements. In particular, we found that guidance\nprovided by management was fragmented and often inadequate to meet the goals of the\ninitiative. In addition, ongoing efforts suffered from a lack of coordination among programs and\nsites to determine the cost, scope and schedule of work required to implement HSPD-12\nrequirements. Further, several programs and sites visited had not established budgets in an\nattempt to obtain funding to support HSPD-12 activities.\n\nOMB has concluded that the use of HSPD-12 credentials provides more secure access to Federal\nfacilities, enhanced cyber security and reduced overall costs. However, until physical and logical\n\n\n\n                                                2\n\x0caccess controls are fully implemented in accordance with HSPD-12, the Department will\ncontinue to pay significant maintenance costs for credentials without realizing the full benefits.\n\nIn response to a preliminary draft of our report, management officials noted that in certain\ninstances, such as construction contractors that are often restricted to certain areas and never\naccess Federal data systems, providing an HSPD-12 credential provides little additional benefit,\nand as such, is not cost effective. 
The Office of Inspector General has long been a proponent of\na risk-based approach to physical and cyber security. As such, we agree that cost/benefit\nrealities can impact the nature and extent of security control measures. That said, however, we\nalso believe that it would be in the Department\'s best interest to consult with OMB if it plans to\nadopt a process that does not fully comport with HSPD-12.\n\nWe found that some sites had initiated action to implement physical and logical access controls\nsupporting the goals of HSPD-12. For example, the Oak Ridge National Laboratory anticipated\nthat its physical access controls would be compliant by March 2012. Officials from other sites,\nincluding Oak Ridge Office and East Tennessee Technology Park, stated that they planned to\nimplement their own physical controls based on the Oak Ridge National Laboratory\'s outcome\nand lessons learned. These are positive actions; however, additional effort is necessary to ensure\nthat controls are implemented to meet the goals of HSPD-12. As such, we have made several\nrecommendations that, if fully implemented, should improve the Department\'s ability to\neffectively implement physical and logical access controls in accordance with HSPD-12.\n\nMANAGEMENT REACTION\n\nManagement concurred with the report\'s recommendations and indicated that it had initiated\ncorrective action to address issues identified in our report. 
In separate comments, National\nNuclear Security Administration concurred with the report\'s findings and stated that it will use\nthe findings to improve the management and oversight of its implementation of HSPD-12.\nManagement\'s comments are included in Appendix 3.\n\nAttachment\n\ncc:   Deputy Secretary\n      Associate Deputy Secretary\n      Under Secretary for Nuclear Security\n      Acting Under Secretary of Energy\n      Director, Office of Science\n      Chief Health, Safety and Security Officer\n      Chief Information Officer\n      Acting Chief Financial Officer\n      Chief of Staff\n\n\n\n\n                                                  3\n\x0cREPORT ON THE DEPARTMENT OF ENERGY\'S IMPLEMENTATION\nOF HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12\n\n\nTABLE OF\nCONTENTS\n\n\nImplementation and Credential Issuance\n\nDetails of Finding ............................................................................................................................1\n\nRecommendations and Comments ...................................................................................................8\n\n\nAppendices\n\n1. Objective, Scope and Methodology .........................................................................................10\n\n2. Related Reports ........................................................................................................................12\n\n3. Management Comments ..........................................................................................................14\n\x0cTHE DEPARTMENT OF ENERGY\'S IMPLEMENTATION OF HOMELAND\nSECURITY PRESIDENTIAL DIRECTIVE 12\n\nImplementation and    Although the Department of Energy (Department) had invested\nCredential Issuance   7 years of effort and expended more than $15 million, it had yet to\n                      complete implementation of Homeland Security Presidential\n                      Directive 12 (HSPD-12) requirements. 
While the Department spent\n                      funds on installation of badge stations, badge issuance and monthly\n                      credential maintenance fees, we found that it had not fully\n                      implemented physical access control systems utilizing the HSPD-12\n                      credential to restrict access to only those areas for which an\n                      individual is authorized. In addition, none of the sites reviewed had\n                      developed logical access controls to information systems and\n                      applications in accordance with HSPD-12. Furthermore, the\n                      Department had not issued HSPD-12 credentials to uncleared\n                      contractors at its field sites. While the Department\'s current\n                      badging processes provided certain assurances, all background\n                      checks required by HSPD-12 were not included.\n\n                                   Physical Access Controls Implementation\n\n                      Of the 5 field sites reviewed, none had fully implemented physical\n                      access control systems using HSPD-12 credentials for the more\n                      than 40,000 employees requiring access to those facilities.\n                      HSPD-12 physical access controls allow for the user\'s credential to\n                      be electronically validated so that terminated or expired credentials\n                      cannot be used to inappropriately access Federal facilities. 
While\n                      the Oak Ridge National Laboratory (ORNL) and East Tennessee\n                      Technology Park (ETTP) had started implementing physical access\n                      controls, the remaining sites had not begun work, and none had a\n                      fully developed system in place as defined by HSPD-12 and\n                      Department guidance.\n\n                      Three locations reviewed, with a total population of approximately\n                      26,000 workers, had not begun physical access controls\n                      implementation, which would provide the Department with\n                      enhanced security and potentially reduce overall costs. For\n                      example, as of July 2011 \xe2\x80\x93 seven years after the directive was\n                      issued \xe2\x80\x93 the Oak Ridge Office (ORO) was still working to\n                      purchase and install badge readers. In addition, although the Y-12\n                      National Security Complex (Y-12) planned to install a HSPD-12\n                      compliant physical security system, it had not begun work on the\n                      project because of a lack of funding. Similarly, the Savannah\n                      River Site (SRS) had not implemented a physical access control\n                      system that would accept the functionality of the HSPD-12\n                      credential. Limited progress was also observed at the remaining\n                      sites reviewed. 
In particular, badge readers in ORNL\'s high\n\n\n\n\nPage 1                                                                 Details of Finding\n\x0c         security areas were not functional because it was in the process of\n         obtaining software updates, and ETTP had not installed all of its\n         HSPD-12 badge readers.\n\n         We also found that four of six locations reviewed did not utilize\n         the internal HSPD-12 badge smart chip functionality to control\n         access to facilities. Instead, the Department modified its HSPD-12\n         badges with the addition of a magnetic stripe to work with existing\n         badge readers. Though the remaining locations used some of the\n         smart chip\'s capability, validation checks were not fully performed\n         to control facility access. This approach was appropriate during\n         the Department\'s transition to HSPD-12 credential use. However,\n         continued reliance on the magnetic stripe allowed the Department\n         to delay utilizing the HSPD-12 credential\'s smart chip, that\n         contains the owner\'s unique Personal Identity Verification (PIV)\n         information and should be used to authenticate the identity of the\n         cardholder. Notably, Headquarters had recently taken action to\n         implement the smart chip functionality at its facilities.\n\n                      Logical Access Controls Implementation\n\n         The Department had made progress utilizing HSPD-12 credentials\n         to authenticate user access to information systems; however,\n         additional work was needed. While Headquarters and ORO were\n         using badges on a limited basis to allow network access, none of\n         the locations reviewed had fully implemented logical access\n         control systems for all information systems and applications. 
As\n         noted in the table below, less than 3 percent of the nearly 23,000\n         users requiring system access at the field sites reviewed were using\n         their credentials for such access.\n\n\n                                       Users            Total\n                                  Authenticating      Number of\n               Location                                              Percentage\n                                   via HSPD-12         System\n                                    Credential          Users\n         Y-12                             0             6,400           0.0%\n         ORO                            557             1,056          52.7%\n         ORNL                             0             6,200           0.0%\n         ETTP                             0             1,500           0.0%\n         SRS                             45             7,565           0.6%\n         Total \xe2\x80\x93 Field Sites            602            22,721          2.6%\n         Headquarters                  6,630            7,030           94%\n         Total \xe2\x80\x93 All Locations         7,232           29,751           24%\n\n\n\n\nPage 2                                                    Details of Finding\n\x0c         According to planning documentation provided by the Department,\n         using HSPD-12 credentials for access to information systems and\n         applications provides for electronic authentication of the credential\n         at the time of use, which cannot be achieved with the Department\'s\n         current logical access controls of usernames and passwords. In\n         addition, as noted in a recent U.S. Government Accountability\n         Office report, the process of electronic authentication with the\n         HSPD-12 credential significantly enhances the security of a\n         computer system because it is more difficult for an intruder to\n         circumvent. 
Also, each of the sites reviewed still had not acquired\n         all of the necessary infrastructure such as PIV card readers and\n         authentication software so that the badge\'s functionality could be\n         used to access the Department\'s systems.\n\n                                 Credential Issuance\n\n         We found that four of the five sites reviewed did not provide\n         HSPD-12 badges to contractors that did not hold a security\n         clearance. One of the four sites, SRS, had recently curtailed its\n         practice of issuing HSPD-12 credentials to all site personnel due to\n         budget concerns. In addition, a fifth site issued the badges to\n         employees only when they met certain requirements, such as the\n         need to travel to other Department sites. According to HSPD-12\n         guidance issued by the Office of Management and Budget (OMB),\n         the directive is applicable to all Federal employees and contractors\n         requiring routine access to Federal facilities or information systems\n         for greater than 6 months. Further, the Federal Chief Information\n         Officers Council (CIO Council) recently clarified that badges not\n         meeting HSPD-12 requirements could not be issued to individuals\n         that fell within the applicability of the directive. 
Issuance of the\n         HSPD-12 credential requires completion of a National Agency\n         Check with Inquiries (NACI) investigation that includes a Federal\n         Bureau of Investigation (FBI) name and fingerprint check; Office\n         of Personnel Management (OPM) Suitability Clearance Index and\n         Defense Clearance Index check; written inquiries and searches of\n         records for the past 5 years in the areas of employment, education\n         and law enforcement; and, written inquiries and searches of\n         records for the past 3 years in the areas of residences and\n         references.\n\n         Contrary to Federal direction, the Department issued guidance that\n         HSPD-12 badges were not required for uncleared contractor\n         employees at field sites, even if they maintained routine access to\n         sites and/or information systems for periods in excess of 6 months.\n         As a result, over 11,000 individuals (27 percent of the total\n         population), without security clearances that required routine\n         access to sites for a period in excess of 6 months, had not been\n\nPage 3                                                    Details of Finding\n\x0c         issued HSPD-12 credentials. Based on documentation provided by\n         Department officials, we also noted that the Lawrence Berkeley\n         National Laboratory had issued HSPD-12 badges to only 51 of\n         3,948 (less than 2 percent) permanent personnel \xe2\x80\x93 those individuals\n         requiring site access for a period longer than 6 months.\n\n         While employees not receiving HSPD-12 badges did undergo\n         various identity verification activities, as determined by the site,\n         the procedures were generally less robust than, and did not include\n         all elements of, a NACI review. 
For example, Y-12\'s site\n         procedures, developed to meet National Nuclear Security\n         Administration (NNSA) guidance, did not require the FBI and\n         OPM checks described above for non-HSPD-12 badge issuance.\n         Rather, Y-12 required the presentation of two forms of\n         identification and a check of previous employers, education and\n         references prior to badge issuance. As such, the site\'s identity\n         verification activities were not as substantive as the NACI. In\n         addition, identity verification activities were inconsistent among\n         sites and were subject to change at the sites\' discretion. As\n         employees at many sites required routine access to Federal\n         facilities and systems, their identities should have been verified in\n         accordance with the Presidential directive. Further, one\n         Department security official stated that not providing HSPD-12\n         badges to contractors that did not hold a security clearance was\n         contrary to best business practices and allowed the largest segment\n         of the Department\'s population, on which there was no background\n         information, to have unescorted access to Department facilities.\n\n         Completion of robust background checks, such as those required\n         by HSPD-12, may have prevented the issues related to identity\n         proofing highlighted in two recent Office of Inspector General\n         reports. For example, our inspection on Verification of Lawrence\n         Berkeley National Laboratory\'s Contract Workers\' Eligibility to\n         Work in the U.S. (DOE/IG-0850, April 2011) identified eight\n         individuals that had duplicate social security numbers, numbers\n         belonging to deceased individuals or numbers that had yet to be\n         issued \xe2\x80\x93 anomalies that would have been discovered had an\n         effective HSPD-12 process been in place. 
In addition, our audit on\n         Environmental Cleanup Projects Funded by the Recovery Act at\n         the Y-12 National Security Complex (OAS-RA-L-11-02, December\n         2010) determined that Y-12 had not used a third party to\n         independently verify citizenship documentation provided by its\n         workers. In both cases, had the sites used HSPD-12 background\n         investigation procedures to obtain independent proof of citizenship\n         for workers, the risk of unauthorized workers inappropriately\n         gaining access to Federal facilities would have been significantly\n         reduced.\n\nPage 4                                                    Details of Finding\n\x0c                       Rather than issue HSPD-12 credentials to all applicable\n                       contractors, the Department planned to develop a separate badge,\n                       commonly referred to as the PIV-Interoperability (PIV-I)\n                       credential. However, the CIO Council noted that while it was a\n                       valid credential, the PIV-I was only to be used for individuals not\n                       requiring routine access to Federal facilities and systems. Contrary\n                       to this guidance, the Department spent considerable time and effort\n                       determining how this credential would be implemented for its\n                       contractor personnel that did require routine access.\n\nCoordinated Approach   The issues identified were due to the lack of a coordinated\nto HSPD-12             approach among offices and sites related to implementation of\n                       HSPD-12 requirements. In particular, we found that leadership\n                       and guidance provided by management was fragmented and not\n                       adequate to meet the goals of HSPD-12. 
In addition, ongoing\n                       planning and implementation efforts suffered from a lack of\n                       coordination among offices and sites to determine the cost, scope\n                       and schedule of work required to meet HSPD-12 requirements.\n\n                                            Leadership and Guidance\n\n                       We found that leadership and guidance provided by management\n                       was not adequate to meet the goals of HSPD-12. Specifically, a\n                       number of Department officials commented that they believed\n                       HSPD-12 would be rescinded when the current Administration\n                       took office in 2009. As a result, the Department had not developed\n                       adequate plans for implementing physical and logical access\n                       controls using the HSPD-12 credential within the designated\n                       timeframes established by OMB. In addition, while the Office of\n                       Health, Safety and Security oversaw an effort to issue HSPD-12\n                       badges across numerous sites, the Department\'s guidance regarding\n                       badge issuance activities was insufficient. For example, sites\n                       relied on a 2005 Department memorandum issued by the Deputy\n                       Secretary, at the time, that allowed programs to determine whether\n                       uncleared contractors at field sites would be issued HSPD-12\n                       credentials. In June 2011, this guidance was incorporated into a\n                       Department Order. However, the memorandum and Order both\n                       contradicted HSPD-12 and direction that was recently re-enforced\n                       by OMB. 
We also learned that the Department\'s Office of the\n                       Chief Information Officer (OCIO) recently issued a memorandum\n                       outlining a requirement to integrate physical and logical access\n                       controls using the HSPD-12 credential.\n\n\n\n\nPage 5                                                                 Details of Finding\n\x0c                                              Coordinated Approach\n\n                       We also noted that ongoing planning and implementation efforts\n                       suffered from a lack of coordination among programs and sites to\n                       determine the cost, scope and schedule of work required to\n                       implement HSPD-12 requirements. In particular, even though it\n                       had not implemented HSPD-12 physical and logical access control\n                       systems, the Department had not developed an implementation\n                       plan for utilization of PIV credentials as required by OMB\n                       Memorandum 11-11. For example, of the four offices reviewed,\n                       only the NNSA had developed an implementation plan that fully\n                       supported HSPD-12, and the Office of Science (Science) had\n                       developed an implementation plan supporting logical access\n                       controls. To enhance ongoing efforts, the OCIO established an\n                       Integrated Project Team (IPT) in 2011 to help align HSPD-12\n                       implementation activities and improve coordination among offices.\n                       However, at the time of our review, the IPT had not been in\n                       existence long enough for us to evaluate its success. Finally, none\n                       of the five sites reviewed had a site-wide plan for full HSPD-12\n                       implementation. 
We also noted that several of the offices and sites\n                       reviewed had not included HSPD-12 in their budgets in an attempt\n                       to obtain funding to support these activities even though the\n                       requirement had existed for 7 years.\n\n                       Furthermore, communication from offices to respective field sites\n                       was not effective. For example, NNSA officials at Headquarters\n                       indicated that Y-12 was implementing physical access controls as\n                       part of its ongoing Security Improvement Project. However,\n                       during our site visit, we found that physical access controls in only\n                       a small number of closed areas were included in the project. In\n                       addition, although Science officials indicated that they believed\n                       funding should be put towards other mission-related work instead\n                       of implementation activities, we noted that ORNL was moving\n                       forward with its upgrade to its physical access control system in\n                       support of HSPD-12.\n\nRealization of Goals   Until physical and logical access control systems are fully\nand Objectives         implemented in accordance with HSPD-12, the Department will\n                       continue to pay significant maintenance costs for credentials\n                       without realizing the full benefits. As noted in HSPD-12, benefits\n                       can include more secure access to Federal facilities, improved\n                       cyber security, reduced costs and enhanced resistance to identity\n                       fraud, counterfeiting, tampering and terrorist exploitation. 
In\n                       addition, Department documentation noted that the use of HSPD-\n                       12 credentials would create a streamlined and synchronized\n                       process for managing access controls, that will work with other\n                       agencies, facilities and applications to improve operational\n\nPage 6                                                                  Details of Finding\n\x0c         effectiveness and efficiency. Finally, OMB also directed that\n         beginning in Fiscal Year 2012, development and technology\n         refresh funding will be limited to HSPD-12 implementation\n         activities until use of the credential is completely implemented.\n         Therefore, until that time, the Department\'s activities requiring\n         such funding will be restricted.\n\n         Also, the Department may have circumvented the intent of HSPD-\n         12 by limiting credential issuance at its field sites to only\n         contractor employees that had already had their identities verified\n         through a robust security clearance process. As previously noted,\n         the HSPD-12 process was developed in an effort to increase\n         security by verifying the identity of any individual working at a\n         Federal facility for an extended period of time. However, the\n         Department\'s decision to rely on site-level verification processes\n         that were not as robust and have been demonstrated to have\n         weaknesses restricted its ability to gain this type of assurance or\n         security for its uncleared and more transient population. In\n         addition, as a result of its decision to exclude certain contractors,\n         progress of the Department\'s HSPD-12 efforts being reported to\n         OMB was inflated because it only included contractor personnel\n         that held security clearances. 
Specifically, at the six locations for which we have data, the Department reported that 94 percent of the total population had received an HSPD-12 badge. However, because this figure did not account for uncleared workers, we determined that the Department had provided HSPD-12 badges to only 53 percent of the population at these sites that was subject to HSPD-12 requirements.\n\nFurthermore, the Department continued to expend time and resources on efforts to identify alternatives to HSPD-12 badges, effort that could have been better spent implementing the directive. Because the identity-proofing alternatives did not include all of the verification activities required by HSPD-12, continued issuance of noncompliant credentials may hinder the Department\'s ability to sufficiently verify the identity of its employees and to ensure that badges meet the goals of the Administration. In addition, the level of security offered by an HSPD-12 badge may not be realized because of inconsistencies in background checks.\n\nFinally, our review identified a potential cost savings to the Department if it phased out the use of RSA® tokens for remote access. As noted by the National Institute of Standards and Technology, a PIV card supports the same two-factor authentication that such tokens provide, so the card can serve as the second factor in place of a token. In addition, a recent study by NNSA noted that significant savings could be realized by making such a transition.
While we acknowledge that there are costs associated with implementing HSPD-12, we determined that the Department could offset some of this cost through potential savings of up to $600,000 at the locations we visited if many of its users who possess the HSPD-12 credential were to authenticate to unclassified systems using the credential rather than an RSA® token. By doing so, the Department would no longer need to incur the maintenance and license fees associated with the tokens, fees comparable to those already being paid to maintain the HSPD-12 credential.\n\nRECOMMENDATIONS\n\nTo help improve the Department\'s ability to effectively implement physical and logical access control systems in accordance with HSPD-12, we recommend that the Under Secretary for Nuclear Security, Acting Under Secretary of Energy and Acting Under Secretary for Science, in conjunction with the Department\'s and NNSA\'s Chief Information Officers:\n\n   1. Develop and implement guidance to fully meet the goals and requirements of HSPD-12;\n\n   2. Develop and implement a comprehensive plan that includes cost analyses and timeframes for implementing physical and logical access control systems in accordance with HSPD-12; and,\n\n   3.
Revise Department policy as appropriate to ensure that uncleared contractors receive credentials in accordance with the requirements of HSPD-12.\n\nIn addition, to ensure the Department meets the intended goals of HSPD-12, we recommend that the Chief Information Officer:\n\n   4. Consult with OMB, as necessary, regarding the Department\'s planned approach for badge issuance and the use of an alternate credential for certain of its contractors.\n\nMANAGEMENT REACTION\n\nDepartment management agreed with the report\'s recommendations and stated that it had initiated action to address the issues identified. Management commented that the report\'s findings were reasonable and provided effective insight and recommendations to correct discrepancies and improve the management and oversight of the Department\'s implementation of HSPD-12. In addition, management stated that it had established an IPT to oversee the development of HSPD-12 policies, standards and guidelines. In separate comments, NNSA management concurred with the report\'s findings and stated that it will use the findings to improve the management and oversight of NNSA\'s implementation of HSPD-12.\n\nAUDITOR COMMENTS\n\nManagement\'s comments and planned corrective actions are responsive to our recommendations.
Management\'s formal comments are included in Appendix 3.\n\nAppendix 1\n\nOBJECTIVE\n\nTo determine whether the Department of Energy (Department) had implemented physical and logical access controls in accordance with Homeland Security Presidential Directive 12 (HSPD-12).\n\nSCOPE\n\nThe audit was performed between April 2011 and February 2012, at Department Headquarters in Washington, DC and Germantown, Maryland; the Oak Ridge Office, Oak Ridge National Laboratory, East Tennessee Technology Park and Y-12 National Security Complex in Oak Ridge, Tennessee; and, the Savannah River Site in Aiken, South Carolina.\n\nMETHODOLOGY\n\nTo accomplish our objective, we:\n\n   •   Reviewed Federal laws and regulations associated with the implementation of HSPD-12;\n\n   •   Obtained and reviewed the Department\'s policies and procedures for implementing physical and logical access controls associated with HSPD-12;\n\n   •   Conducted interviews with various office and site officials to gain background information on the Department\'s implementation of HSPD-12;\n\n   •   Obtained and reviewed site information relevant to implementation costs, badge population and implementation schedules related to HSPD-12;\n\n   •   Obtained and reviewed documentation associated with both the current and future plans for physical and logical access controls at each site; and,\n\n   •   Reviewed prior
reports issued by the U.S. Government Accountability Office and the Office of Inspector General.\n\nWe conducted this performance audit in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Accordingly, we assessed significant internal controls and compliance with laws and regulations to the extent necessary to satisfy the audit objective. In particular, we assessed the Department\'s implementation of the Government Performance and Results Act of 1993 and determined that it had established performance measures for implementation of HSPD-12. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit. We did not rely on computer-processed data to satisfy our audit objective.\n\nThe Department and NNSA waived an exit conference.\n\nAppendix 2\n\nRELATED REPORTS\n\nOffice of Inspector General Reports\n\n   •   Audit Report on Verification of Lawrence Berkeley National Laboratory\'s Contract Workers\' Eligibility to Work in the U.S.
(DOE/IG-0850, April 2011). Not all of Lawrence Berkeley National Laboratory\'s (LBNL) subcontractors ensured that individuals employed to work on the site were initially eligible, or maintained authorization, to work in the U.S. throughout the term of their employment. In addition, some contractors failed to record required key employment eligibility elements. Further, although the U.S. Government\'s E-Verify system had been available for voluntary use by all employers since 2007, we found that none of the 19 LBNL subcontractors included in our review used it to supplement the Form I-9 employee eligibility determination process. These problems occurred, in part, because LBNL contractors did not place sufficient emphasis on ensuring that their employment verification activities complied with Federal law. In addition, Department of Energy (Department) policy did not require site security offices to verify, or even to confirm on a sample basis, the employment eligibility of contract workers before site access was allowed. As a consequence, unauthorized workers may have inappropriately gained access to Federally-funded facilities and could have displaced U.S. citizens or other authorized workers from jobs. Management concurred with the findings and recommendations contained in the report.\n\n   •   Audit Report on Environmental Cleanup Projects Funded by the Recovery Act at the Y-12 National Security Complex (OAS-RA-L-11-02, December 2010). The Y-12 National Security Complex (Y-12) had not included a required clause that was intended to ensure employment eligibility in the American Recovery and Reinvestment Act of 2009 (Recovery Act) subcontracts we reviewed.
Although the Employment Eligibility Verification clause became effective in December 2009, Y-12 did not flow the clause down to its subcontractors until September 2010. Specifically, Y-12 management decided it was more efficient to reference the clause in its General Terms and Conditions, which were undergoing revision, than to incorporate it independently into each subcontract. Y-12 management stated that it had mitigating controls to ensure that only U.S. citizens are issued the photo badges required for access to the Y-12 site. However, Y-12 management acknowledged that it was not required to verify the validity of proof of citizenship as part of its badging process, and we confirmed that Y-12 does not verify the information with independent parties. While Y-12\'s controls may have been beneficial, they did not provide the independent verification of employment eligibility documentation available through the E-Verify system, as required by Federal regulations. Because of the mitigating actions initiated by Y-12, we did not make formal recommendations.\n\nGovernment Accountability Office Reports\n\n   •   Report on Agencies Face Challenges in Implementing New Federal Employee Identification Standard (GAO-06-178, February 2006). The U.S.
Government Accountability Office (GAO) found that the Federal government faces significant challenges in implementing Federal Information Processing Standard (FIPS) 201, including: (1) testing and acquiring compliant commercial products, such as smart cards and card readers, within required time frames; (2) reconciling divergent implementation specifications; (3) assessing the risks associated with specific vendor implementations of the recently chosen biometric standard; (4) incomplete guidance regarding the applicability of FIPS 201 to facilities, people and information systems; and, (5) planning and budgeting with uncertain knowledge and the potential for substantial cost increases. Until these implementation challenges are addressed, the benefits of FIPS 201 may not be fully realized. Specifically, agencies may not be able to meet implementation deadlines established by the Office of Management and Budget (OMB), and, more importantly, true interoperability among Federal government agencies\' smart card programs, one of the major goals of FIPS 201, may not be achieved.\n\n   •   Additional OMB Leadership Needed to Optimize Use of New Federal Employee Identification Cards (GAO-08-292, February 2008). GAO found that although much work had been accomplished to lay the foundations for implementation of HSPD-12, a major Federal government-wide undertaking had not occurred. Agencies had made limited progress implementing and using Personal Identity Verification (PIV) cards.
For the limited number of cards that had been issued, most agencies had not been using the electronic authentication capabilities on the cards and had not developed implementation plans for those capabilities. Without implementing the cards\' electronic authentication capabilities, agencies will continue to purchase costly PIV cards to be used in the same way as the much cheaper, traditional identification (ID) cards being replaced. Until OMB revises its approach to focus on the full use of the capabilities of the new PIV cards, HSPD-12\'s objectives of increasing the quality and security of ID and credentialing practices across the Federal government may not be fully achieved.\n\nAppendix 3\n\nMANAGEMENT COMMENTS\n\n(Management\'s comments, pages 14 through 18 of the report, are reproduced as page images and contain no extractable text.)\n\nIG Report No. DOE/IG-0860\n\nCUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers\' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:\n\n   1.
What additional background information about the selection, scheduling, scope, or procedures of the audit or inspection would have been helpful to the reader in understanding this report?\n\n   2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?\n\n   3. What format, stylistic, or organizational changes might have made this report\'s overall message clearer to the reader?\n\n   4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report that would have been helpful?\n\n   5. Please include your name and telephone number so that we may contact you should we have any questions about your comments.\n\nName                                          Date\n\nTelephone                                     Organization\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:\n\n                               Office of Inspector General (IG-1)\n                                     Department of Energy\n                                    Washington, DC 20585\n\n                                  ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact our office at (202) 253-2162.\n\nThe Office of Inspector General wants to make the distribution of its reports as customer-friendly and cost-effective as possible. Therefore, this report will be available electronically through the Internet at the following address:\n\n              U.S.
Department of Energy Office of Inspector General Home Page\n                                    http://energy.gov/ig\n\n  Your comments would be appreciated and can be provided on the Customer Response Form.\n\x0c'